GDPR one year on

Written by Joseph Poppy on 24/05/2019

Happy Birthday GDPR

Many of you will remember the 25th of May 2018 as the day GDPR became legally enforceable. That week, our emails were bombarded with updates to privacy policies or requests for us to ‘opt-in’ to having our data processed. Funnily enough, many of these were unnecessary and, in some cases, missed the point entirely. The most exciting part of this piece of legislation (and there were many exciting things to choose from) was the idea that regulatory bodies could fine companies up to 4% of their global turnover. So, we were poised to see titans fall and businesses ripped apart by bureaucratic arrows and their own poor decision making.

However, that has yet to happen. Since GDPR came into effect, a total of €55,955,871 worth of fines have been issued. This looks like a large number until you account for the fact that €50,000,000 of that was from one fine levied against Google. To us mortals that still seems like an exorbitant sum, but Google paid that with the change found down the back of the staff room sofa. Their 2018 revenue sat somewhere around 136 billion dollars. At the current exchange rate that comes to roughly a lot more than €50 million. On the fines front then, not a lot has happened, but has the legislation changed data protection for the better?

Since GDPR came into effect, a total of €55,955,871 worth of fines have been issued.

Report those breaches

Under Article 33 of GDPR, businesses are required to inform the relevant regulatory body of a breach within 72 hours of discovery. Since GDPR came into effect, the UK’s regulatory body, the Information Commissioner’s Office (ICO), saw a sharp rise in the number of reported breaches. The ICO received 8,000 breach notifications between May and December 2018 compared to 3,311 received from April 2017 to Mach 2018.

So, businesses are fessing up to breaches, meaning data subjects have more information as to what is going on with their information. However, unless anything is done about these breaches, or improvements are made in light of them, does this mean anything? There’s an argument to be made that simply reporting a breach doesn’t really help things if there is little to no consequence. Are businesses likely to waste time and money improving their service (in the form of notification statements), security, systems and processes if they can get away with simply reporting a breach as and when they happen?

Most companies are spared any regulatory wrath because they are seen as ‘being fully cooperative’, which is good, but also sets a precedent. There’s little incentive for a company to work at improving security. So, whilst it’s good news to see companies being ‘cooperative’ and therefore more transparent, there’s little evidence to suggest this increase in reports is helping secure data.


So, who has been fined?

Since GDPR came into effect there have been 91 fines levied in response. We have already mentioned the big ole 50 million euro fine imposed on Google towards the beginning of the year. GDPR stipulates that companies must explain clearly how data is to be collected and how it is to be used. France’s data protection regulator (CNIL) deemed Google’s approach in this regard to be lacking, stating that people were mostly unaware of what data they were sharing and how Google planned to use it. Whilst Google (or the parent company Alphabet) has huge piles of money to throw about, for most businesses, 50 million is a startling number, meaning they’re more likely to double check their privacy policy.

In October 2018, the ICO targeted Facebook with a £500,000 fine for its role in the Cambridge Analytica scandal. Facebook is another company with absurd amounts of money lying about. So much so that they don’t mind getting caught up in scandal after scandal. You can always tell when some privacy issue is imminent, as it often follows Zuckerberg stating that the company takes privacy very seriously.

The interesting thing to note here is that, whilst it was past the GDPR deadline, the issue in question occurred beforehand, meaning the company could only be held as accountable as the UK Data Protection Act would allow. £500,000 was the maximum penalty. Had the whole scandal occurred a few months later, we may have been looking at a considerably larger sum.

The remaining fines have been rather small in comparison, such as a Polish firm fined £187,000 (approximate some amount of Euros) for scraping data on individuals without their consent.

GDPR was quite a dramatic overhaul of data protection law. It’s worth noting that there were not many legal examples for regulatory bodies to build from. It’s understandable that they’re reluctant to lean too heavily into the fines at this relatively early stage when people are still trying to get to grips with the legislation (including them).

A Gavel on a laptop keyboard
GDPR is a dramatic overhaul of the legislation and people are still getting to grips with it.
GDPR stipulates that companies must explain clearly how data is to be collected and how it is to be used.

Some still don’t understand

At Bulletproof, we are still seeing people reaching out for help meeting their GDPR requirements. We usually start off with a simple GDPR gap analysis to see what stage the company is at, before moving onto implementation. What people seem to forget is, compliance is an ongoing process that requires constant engagement. Unlike my approach to parenthood, it’s not enough to just to check in every so often and think ‘seems fine’.

Businesses have to constantly review their security, keep their staff trained and update their processes. As our penetration testers are constantly reminding me (I never ask), new vulnerabilities are always coming to light. Just because you’re secure one day, doesn’t mean you’ll be secure six months later. Keeping on top of this is one of your responsibilities under GDPR.

A man selecting GDPR from a futuristic grid
GDPR isn’t always straight forward... that’s why we’re here to help!

Investigations take time

As cooking pasta has taught me, everything takes time, often much longer than you feel it ought to. The aforementioned fining of Facebook shows that misuse of data and data breaches don’t immediately come to light. In fact, it can take months for a breach to even be detected. Then regulatory bodies have to do their own investigations and see where the fault lies. Was the company doing everything they could? Were they directly responsible? How much damage was done? Did the company attempt to cover it up in anyway? All of these questions need to be answered before any fines can be decided. Whilst the statement ‘it is a complex process’, often seems like a way for people to say ‘we don’t know, please stop asking us questions’, investigating a breach is a complex process. It’s likely that we’ll start seeing fines hitting companies with greater frequency as investigations are concluded. We may even see them getting bigger.

Take the British Airways hack, for example. Whilst they successfully reported the breach within the 72-hour period and cooperated with regulatory bodies, under GDPR, they could potentially face some hefty financial repercussions. The same goes for the Marriott hack.

Compliance is an ongoing process that requires constant engagement.

Has GDPR been worth it?

I think it’s fair to say, that the level of authority GDPR has given data subjects over how their personal data is to be used is a good thing. It’s certainly something that many businesses seem to be taking seriously. Whenever I’m browsing the internet, I am constantly having to click ‘I accept’ to privacy disclaimers. Although, I don’t actually read what I’m accepting, I’m sure you don’t either. We could have both accepted responsibility for things we’re not qualified for.

In terms of whether it’s actually having an effect – well, only time will tell. Despite being agreed in 2016, we found a lot of companies only started worrying about GDPR about a day or two before the enforcement day. It’s good to know old habits die hard. We are now a year on from the enforcement date, but in terms of wide-reaching legal legislation, it’s too early to quantify its effectiveness. It’s still a legal requirement though, so don’t take this to mean you can sit back and relax. Down that path lies fines. So, if you’re still struggling with compliance, book yourself a gap analysis, schedule an implementation project or even let us fulfil your DPO responsibilities.


  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by filling out the form below.

By submitting this form, I agree to the Bulletproof privacy policy.